Mediacom Using DPI To Hijack Searches, 404 Errors

Posted by CmdrTaco
from the well-thats-not-cool dept.
Verteiron writes "Cable company Mediacom recently began using deep packet inspection to redirect 404 errors, Google and Bing searches to their own, ad-laden 'search engine.' Despite repeated complaints from customers, Mediacom continues this connection hijacking even after the user has opted out of the process. Months after the problem was first reported, the company seems unwilling or unable to fix it and has even experimented with injecting their own advertising into sites like Google. How does one get a company infamous for its shoddy customer service and comfortable, state-wide cable monopolies to act on an issue like this?"

  • HTTPS (Score:5, Informative)

    by The MAZZTer (911996) <megazzt@gm[ ].com ['ail' in gap]> on Wednesday April 27, 2011 @09:38AM (#35952010) Homepage
    Can't touch this! [google.com]
    • by Ice Tiger (10883)

      Yup, time for the web to go to HTTPS.

      • Re:HTTPS (Score:5, Insightful)

        by betterunixthanunix (980855) on Wednesday April 27, 2011 @09:47AM (#35952104)
        $10 says that ISPs will encourage their customers to use special "installation disks," which add an ISP's signing certificate to the list of trusted CAs and then start using MITM attacks. It takes more than HTTPS, it takes users who both care and understand what they are doing.
        • Re: (Score:2, Troll)

          by Palmsie (1550787)

          When have users ever cared or understood what they are doing? This is the entire premise of the Apple machine. They assume you don't; look how popular that has become.

          • Re: (Score:2, Insightful)

            by david.emery (127135)

            Someone please mod as troll.

            • Re: (Score:3, Interesting)

              by erroneus (253617)

              No, he's essentially correct.

              Those days are essentially behind us, generally speaking, but you can't tell me that you never met someone who proudly stated "I'm computer illiterate" before? The primary draw of Mac OS was "it's so easy!" And it was! It also meant it would take a back seat to most of the newest and cutting-edge stuff, but the "easy" crowd didn't care about cutting-edge anyway... sounded dangerous after all.

              Like it or not, "easy" was a primary marketing point for Apple. And seriously, even

              • Re:HTTPS (Score:5, Insightful)

                by david.emery (127135) on Wednesday April 27, 2011 @10:44AM (#35952764)

                Short answer, yes. When I'm working on software/systems architecture standards, etc, there is a disproportionate number of Macs around the room. The value of the Mac as a platform is that it can be simple, but that it also has the full power of Unix underneath. That makes the platform appealing to both those who don't want to have to mess with their computers (like my mother) and to those of us who routinely use "su" and other such facilities. A lot of what I know about working on Unix machines fully transfers over to the Mac.

                Making a machine easy to use is not necessarily correlated with ignorant users. A strong platform should support users at all levels.

          • by gstoddart (321705)

            When have users ever cared or understood what they are doing? This is the entire premise of the Apple machine. They assume you don't; look how popular that has become.

            Well, maybe not fucking around with things like the registry is a really good thing. Every time I see an MS article that starts off with regedit, it's pretty easy to see why the users don't want to care or understand how to do the really arcane shit. That was a crappy system when they introduced it, and it's not really any better now.

            If the

            • Re:HTTPS (Score:4, Informative)

              by yuna49 (905461) on Wednesday April 27, 2011 @11:26AM (#35953340)

              Like it or not, the ISP is treated like a phone company

              No, the problem is that ISPs are not treated like a phone company. They're not regulated as common-carriers. The FCC considered re-categorizing ISPs as a "Title II" telecommunications service, but backed away after Congressional opposition. Now the Commission is proposing a "third way" which seems unlikely to satisfy either the ISPs or their critics. Here's a quick summary: http://www.engadget.com/2010/05/06/fcc-outlines-new-third-way-internet-regulatory-plan-will-spli/ [engadget.com]

              To my mind, ISPs shouldn't be able to process traffic based on anything other than packet headers. Their job is to take a packet I create and deliver it to its intended destination. (Yes, yes, QOS, etc. Whatever is in the headers is fine by me.) DPI equipment should be banned. Anything else offers too many opportunities for censorship and manipulation.

              • by gstoddart (321705)

                No, the problem is that ISPs are not treated like a phone company. They're not regulated as common-carriers.

                Sorry, yes. Exactly correct ... I meant that to the end user, the ISP is treated the same as the phone company. It's infrastructure, or at least, that's how people think of it.

                Heck, in a lot of cases, your ISP probably is the same as your phone company -- or at least your cable. In my case, it's all 3, plus my cell phones.

                To my mind, ISPs shouldn't be able to process traffic based on anything other

        • Are you going to paypal me or will you cut a check?

        • by Ice Tiger (10883)

          Even so, it has now raised the bar for DPI and changing incoming HTML. In the days of AOL, where you had to have software to use a modem, I could see getting ISP-signed certs installed on the userbase as very easy, but now, where a wifi router is the primary interface to the ISP, I am not so sure. Not to mention that the ISP has to get those certs onto Windows, Macs, iOS devices and Android too.

          Also, what would the legal implication be of an ISP committing a MITM attack on a customer's HTTPS session?

          • Not to mention that the ISP has to get those certs onto Windows, Macs, iOS devices and Android too.

            Well, without specific regulations (ahem net neutrality) prohibiting this, couldn't an ISP just dictate that only certain operating systems are allowed to be used? That would make the task a whole lot easier. Windows and Mac OS X only? No problem for the ISPs.

            On the other hand, they could be a little less aggressive, and only perform the attack on customers who actually make use of the disk that they are given. You would be surprised as to just how many customers actually insert those disks in

        • Heck why not just inject browser exploit code into the customer's traffic? It's more eco-friendly and they're already MITM'ing customers anyways. There are already viruses out there that do this.

        • by DarkOx (621550)

          Right, and you should point out that if you don't install their certificate for the sites they are MITMing, you will just get a certificate warning. Unless you can tunnel your traffic someplace else, if they are redirecting destination port 443 to Google's net block, your traffic is going to hit their proxy. You can accept it or refuse and not get the page.

          They can force most users to just live with it.

        • 'encourage their customers to use special "installation disks,"'? More like require. EVERY time there's a power outage in my area, I have to install AT&T's shitware in a VM just to get the DSL working. Of course they swear it's a problem on my end, caused by the power outage, but kicking the power on the surge protector does not reproduce the problem.

          The thing that galls me is that unwitting customers are installing the crap because AT&T redirects all traffic to a webpage that says "THE INTERNET NEE

        • by b4dc0d3r (1268512) on Wednesday April 27, 2011 @12:13PM (#35954026)

          I got Bellsouth DSL, because cable was not laid on my side of the street. I got the modem and an installation disk. I called and said I was not running an installation disk, please tell me what I need to do special for your connection, if anything.

          They said they understood, and I can do it at this web address. The website was basically blank. Are you using internet explorer? No of course I'm not. Well the site only runs in IE. I should have been suspicious, but figured they are idiots.

          ActiveX did exactly what the install disk would have done as soon as I opened the page in IE. I'm still finding bits of things. Motive*, MCCI*, att-nap. Of course, bellsouth was bought by ATT, and I was not pleased about finding that out either.

      • The web will likely need to go IPv6 first. When you connect to an HTTPS server, the certificate stuff takes place BEFORE your browser even tells the server what [sub]domain you are accessing, so you usually need a dedicated IP for each [sub]domain so the certificates can always match up.
        • Re:HTTPS (Score:4, Informative)

          by Scott Laird (2043) on Wednesday April 27, 2011 @10:02AM (#35952290) Homepage

          That's not exactly true; SNI allows for HTTPS multihoming, and it's supported by the HTTPS on pretty much every modern platform, *except* for Windows XP. Browsers that use Windows' HTTPS code (most of them, IIRC) can't cope with SNI on XP, so no one actually uses it anywhere yet.

    • Re:HTTPS (Score:4, Informative)

      by cultiv8 (1660093) on Wednesday April 27, 2011 @09:56AM (#35952226) Homepage
      Yes they can [sonicwall.com]. From SonicWall's Press Release [channelinsider.com]:

      SonicOS 5.6 adds a new deep packet inspection (DPI) engine for SSL encrypted traffic, which has increasingly become a blind spot in many firewall, content filtering and data leak protection schemes today. Bad guys have begun using encryption technologies against the very security communities that made them popular, using encryption to avoid the HTTPS protocol to bypass filters and expose networks to malware attacks.

      • Re:HTTPS (Score:4, Insightful)

        by sverdlichenko (105710) on Wednesday April 27, 2011 @10:01AM (#35952284) Homepage
        No they can't. HTTPS inspection works only if the user installed a "trusted" certificate on his computer. This can be done in a corporate environment, but not for home users.
        • Re:HTTPS (Score:4, Insightful)

          by mjeffers (61490) on Wednesday April 27, 2011 @10:43AM (#35952754) Homepage

          No they can't. HTTPS inspection works only if the user installed a "trusted" certificate on his computer. This can be done in a corporate environment, but not for home users.

          That makes it sound like all an ISP would have to do is to put this certificate into an installer that provides its users with "valuable connection tools and internet utilities". Ship a few CDs to customers and you'll get a large number of people installing and clicking through whatever dialogs pop up because they think they'll need to in order to get online.

          • by _0xd0ad (1974778)

            And if they're especially devious they'd just block everything that looks like HTTPS traffic until the user installs the certificate.

      • by Yold (473518)

        Isn't this public key encryption? You DO know how that works right? Even if the eavesdropper has the public key (transmitted across the wire), it won't do jack. Think of it as 1-way encryption.

      • The press release does mention that client proxy configuration is not needed, so clearly those boxes are more sophisticated than the quite-explicitly-and-by-design man in the middle that is the classic proxy server; but they fail to say that no client configuration is needed, which one would have expected, were it the case, to be touted as a feature.

        I suspect that doing DPI on SSLed traffic requires that the client be configured to trust certificates generated with a key that the firewall has access to,
    • Add one more step. Use another DNS server or put the Real Google HTTPS IP address in the hosts file so the ISP can't redirect it with a corrupt DNS server.

  • by techsoldaten (309296) on Wednesday April 27, 2011 @09:40AM (#35952030) Journal

    File an anti-trust complaint and break up the monopoly. That is what those laws are for.

    • FTC Complaint (Score:5, Informative)

      by hotsauce (514237) on Wednesday April 27, 2011 @09:49AM (#35952142)

      In the short-term, an FTC Complaint (https://www.ftccomplaintassistant.gov/) works wonders due to their power to impose fines for every complaint.

      File early, file often.

      • by BigT (70780)

        Watch Mediacom block that site for their customers next. As well as any complaint site for the FCC/franchise authority/state attorney general's office/etc.

        • Re:FTC Complaint (Score:4, Insightful)

          by Nemesisghost (1720424) on Wednesday April 27, 2011 @10:27AM (#35952552)

          Watch Mediacom block that site for their customers next. As well as any complaint site for the FCC/franchise authority/state attorney general's office/etc.

          Before all the other hoopla about Net Neutrality became a CNN talking point, it was issues like this that caused me to want stronger regulations on ISPs. How long before other ISPs start doing the same thing? Will Mediacom start blocking /. because we exposed & brought this nefarious practice to light? What if this made it to CNN or some other major news outlet? If you don't already support Net Neutrality, maybe you ought to start thinking about it. It is the Free Speech Issue of our time.

    • Most cable companies are most heavily regulated by local franchise agreements. If I had Mediacom doing this in my area I would probably have to start attending city council meetings to speak against them at every opportunity. I have a terribly despised ISP in my neighborhood, but they have recently upgraded their network and have provided me with great service (I believe they do NXDomain crap, but I use OpenDNS. They do it too but I have at least chosen them).

      • Find out what jurisdiction awarded/oversees the Mediacom franchise and start with them. For what it's worth, Virginia's State Corporations Commission has been very responsive to my complaint about Verizon service.

    • by crovira (10242)

      Should have been done years ago.

      It's too bad we had to wait until Verizon's FiOS and AT&T's battle over data plans duking it out with ComCast & TimeWarner's networks to end up with a duopoly with two children at a time playing badly (and clearly illegally,) with other people's toys.

  • by nedlohs (1335013) on Wednesday April 27, 2011 @09:43AM (#35952060)

    Rant and rave about how shitty their website is with all the damn flashing advertisements at the top of the screen. If enough people do this, then google might actually take a look instead of ignoring the idiot user complaining about the non-existent.

    Then given google is an advertising company they are likely to send the lawyers to stop said ISP from messing with their bread and butter.

  • Sue them (Score:5, Funny)

    by mangu (126918) on Wednesday April 27, 2011 @09:43AM (#35952064)

    What they are doing is fraud. Sue them and use *AA scales to calculate compensatory damages. Assume each false-404 corresponds to one music download, charge the normal $75000 per song.

  • "How does one get a company infamous for its shoddy customer service and comfortable, state-wide cable monopolies to act on an issue like this?"

    More regulation, obviously.

    • Re:Simple (Score:5, Insightful)

      by h4rr4r (612664) on Wednesday April 27, 2011 @09:49AM (#35952146)

      Not more, just better.
      Regulation Number 1. He who owns the fiber/copper may not provide service over it.
      Regulation Number 2. He who owns the fiber/copper must sell access to all comers for the same price.
      Regulation Number 3. He who provides the service may not own media companies.
      Regulation Number 4. If anyone gains more than 51% of the market, split the company in two.

      • by NevarMore (248971)

        Let's just implement directive 10-289 while we're at it.

      • Regulation Number 1. He who owns the fiber/copper may not provide service over it.

        Evasion Strategy Number 1: Make two companies, owned both by you (through sufficient indirections through holdings etc. to make this non-obvious). One holds the fiber/copper, one provides the service.

        Regulation Number 2. He who owns the fiber/copper must sell access to all comers for the same price.

        Evasion Strategy Number 2: Have that equal price so high that nobody will be interested, except for your service company (which is

        • by h4rr4r (612664)

          This is why you make duck laws. If it quacks like a duck and looks like a duck, it's a duck.

          I would also highly suggest the service company be run like the post office.

  • by VortexCortex (1117377) <VortexCortex.project-retrograde@com> on Wednesday April 27, 2011 @09:56AM (#35952228)
    So, is this the reason why the Slashdot banner ad: "Steven Feuerstein: Java Developers Should Know PL/SQL." is stretched to be nearly the size of a full screen, and disproportionately too? <checks source> Nope...

    Hey slashdot devs, Here's an ad for ya: "VortexCortex: Web Developers Should Know CSS/Algebra!"

    Not once have I disabled ads, satisfied to give Slashdot whatever meager income the ads provide, but this has forced my hand...

  • by GuldKalle (1065310) on Wednesday April 27, 2011 @09:56AM (#35952234)

    I'm not sure, but wouldn't this exclude them from common-carrier protections? If so, it should be fairly easy to make them provide you with illegal services (think gambling, not CP - no reason to get FBI on your ass).

  • by Zontar_Thing_From_Ve (949321) on Wednesday April 27, 2011 @09:59AM (#35952268)
    It's not exactly what the submission says. If you enter search data in the address bar it may redirect you to Mediacom's servers whether you opt in or not. However if you use the search bar it won't redirect you. This is considered unacceptable by the person who wrote the giant post in the "deep packet inspection..." link above. I'm not going to debate whether this is unacceptable or not, but there is a workaround - just use the search bar. As someone who does not do searches in the address bar that seems OK to me.
  • Wire Fraud? (Score:5, Insightful)

    by lobsterGun (415085) on Wednesday April 27, 2011 @10:03AM (#35952302)

    Wire Fraud:

    Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.

    A customer is asking for one web page, mediacom is substituting another for monetary gain. How is this not wire fraud?

    • by Rob the Bold (788862) on Wednesday April 27, 2011 @10:22AM (#35952488)

      Wire Fraud:

      Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.

      A customer is asking for one web page, mediacom is substituting another for monetary gain. How is this not wire fraud?

      Market cap.

  • by fallen1 (230220) on Wednesday April 27, 2011 @10:04AM (#35952308) Homepage

    that Mediacom, by using this technique to redirect certain traffic, are in fact violating 18 U.S.C. 1030 (Fraud and Related Activity in Connection with Computers) by committing just that -- FRAUD. If I go to Google to search for an explanation of a math problem but all of my traffic is routed through Mediacom's system first and I then get responses from Mediacom that look like they are coming from Google - that is fraud. Pure and simple. I _trust_ Google (for the most part) to give me the information I am seeking. I don't trust my ISP that is redirecting traffic and injecting their own ads to increase their profit margins. The ISP exists solely to move data, un-accosted except for "traffic shaping", across their wires. If I type in www.google.com and start a search, by all that is holy and unholy my data had better be going to Google and not be redirected to point B before reaching Google -- isn't that, technically, a man-in-the-middle attack? Which is also a violation of 18 U.S.C. 1030 I believe.

    I hate that the United States is lawsuit happy but, let's face it, hitting these assholes in their pocketbooks is probably the only thing that will get them to cease and desist. Even then they'll keep trying or buy immunity or something. Until then though, I'm down with cleaning out their ill-gotten and misdirected coffers.

    NOTE: I am not a lawyer and this is not legal advice.

  • Charter was doing this for a while. Really annoying. And the link to click to opt out was at the smallest font they could find. Finally got it fixed. Was not happy - if I go to Google.com, or search google in my address bar, I expect to go to Google!

    ISP level redirects should be illegal. What is to stop some hacker from coming in to the ISP and redirecting traffic from bankofamerica.com to a look-a-like site? Worse yet, what would happen if their DNS lookup table (or whatever it's called) gets propagated? Or

  • by level_headed_midwest (888889) on Wednesday April 27, 2011 @10:13AM (#35952404)
    I have Mediacom's internet service and the solution is to use a different DNS server other than the ones Mediacom provides. I use Level3's DNS servers (4.2.2.2 and 4.2.2.3) for my DNS lookups and I do not get any redirects. You can either manually set the DNS servers on your computer or set them at the router.
    • I have Mediacom's internet service and the solution is to use a different DNS server other than the ones Mediacom provides. I use Level3's DNS servers (4.2.2.2 and 4.2.2.3) for my DNS lookups and I do not get any redirects. You can either manually set the DNS servers on your computer or set them at the router.

      The Mediacom DNSs are a double-whammy -- or rather avoiding them is double-plus-good. I get a lot of 404s from Mediacom -- and the resultant redirect -- even for valid URLs ("http://www.google.com not found . . ."). I kind of have to wonder if the "DNS problems" are intentional or just a happy coincidence for them.

    • by Frozen-Solid (569348) <frozen@frozen-solid.net> on Wednesday April 27, 2011 @10:32AM (#35952628) Homepage
      This doesn't work. I'm on Mediacom and use Google DNS. Nonetheless, if I type in http://validsite.com/invalidurlgoeshere/ [validsite.com] rather than being served a proper 404 I get forwarded to Mediacom's private search engine. They're using deep packet inspection to hijack any default apache or iis 404 response from a website and redirect it to themselves. Level3 DNS, Google DNS, and Open DNS all work to fix the issue of my failed DNS queries being hijacked, but it doesn't fix 404s.
    • Google's DNS servers at 8.8.8.8 and 8.8.4.4 are also good free, standards compliant DNS servers.
    • by level_headed_midwest (888889) on Wednesday April 27, 2011 @10:47AM (#35952794)
      Ah, I forgot, you also need to add "127.0.0.1 assist.mediacomcable.com" to your /etc/hosts. assist.mediacomcable.com is the server that does the page display for their NXDOMAIN hijacking. Adding the line to /etc/hosts and not using Mediacom's DNS servers results in a "page not found" error when having a 404 error.
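
Added example (not part of any comment in this thread): the replies above describe two separate layers, NXDOMAIN hijacking at the ISP resolver and in-path rewriting of 404 responses, and this sketch classifies probe results by layer to show why changing resolvers clears only the first. The probe data, the `isp-resolver` label, the TEST-NET address and the 302 form of the redirect are constructed assumptions; only the Mediacom hostnames and the probe URL come from the thread.

```python
from urllib.parse import urlsplit

# Hosts the thread names as Mediacom's redirect/search servers.
ISP_HOSTS = {"assist.mediacomcable.com", "search.mediacomcable.com"}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body.decode("utf-8", "replace")


def check_404_probe(url, raw):
    """Verdict for a GET of a path known not to exist on a reachable site."""
    status, headers, body = parse_response(raw)
    mentions_isp = any(h in body.lower() for h in ISP_HOSTS)
    if status == 404 and not mentions_isp:
        return "clean"
    if 300 <= status < 400:
        target = urlsplit(headers.get("location", "")).hostname
        if target in ISP_HOSTS:
            return "rewritten"
        if target and target != urlsplit(url).hostname:
            return "inconclusive"  # off-site redirect, but not to a listed host
    if mentions_isp:
        return "rewritten"  # e.g. a meta refresh or script pointing at the ISP
    return "inconclusive"


def hijacking_resolvers(answers):
    """answers maps resolver -> addresses returned for a name that does not
    exist. An honest resolver says NXDOMAIN, recorded here as an empty list."""
    return sorted(r for r, addrs in answers.items() if addrs)


def tampered_layers(resolver_in_use, answers, http_verdict):
    """List the layers still being tampered with for the resolver in use."""
    layers = []
    if resolver_in_use in hijacking_resolvers(answers):
        layers.append("dns")
    if http_verdict == "rewritten":
        layers.append("http-in-path")
    return layers


# --- Constructed sample data (not captured traffic) ---
PROBE_URL = "http://validsite.com/invalidurlgoeshere/"
CLEAN_404 = (b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
             b"Content-Type: text/html\r\n\r\n<h1>Not Found</h1>")
REWRITTEN = (b"HTTP/1.1 302 Found\r\n"
             b"Location: http://search.mediacomcable.com/\r\n\r\n")
DNS_ANSWERS = {
    "isp-resolver": ["192.0.2.10"],  # placeholder label, TEST-NET address
    "8.8.8.8": [],
    "4.2.2.2": [],
}

if __name__ == "__main__":
    for resolver in DNS_ANSWERS:
        for label, raw in (("clean", CLEAN_404), ("rewritten", REWRITTEN)):
            verdict = check_404_probe(PROBE_URL, raw)
            print(resolver, label, tampered_layers(resolver, DNS_ANSWERS, verdict))
```

With the rewritten sample, switching from `isp-resolver` to `8.8.8.8` removes `dns` from the result but leaves `http-in-path`.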
  • Not seeing it.
    http://search.mediacomcable.com/prefs.php

    Disable, Disable, Disable...

  • Get a content provider to file a DMCA take down request against Mediacom. Or file with our friends the *AA

    The content provider creates a copyright protected page representation. Mediacom is violating the copyright by modifying the representation on the fly.

    The DMCA notice to Mediacom should say "stop this or be forced off line" and "Have a nice day"

  • Anyone using Mediacom, please run Netalyzr ( http://netalyzr.icsi.berkeley.edu [berkeley.edu]) and post the results link, this might be able to detect whatever manipulation is ongoing.

    Thanks!

  • There are actually several courses of action available to you. As others have mentioned, lobbying your state legislators to get the law changed is one (this will probably require that you become politically active and get other people to support your position). Another option is to complain to your state Public Utilities Commission (or whatever your state calls the body that regulates the behavior of state granted monopolies--every state that I know of has one). Contact your state legislator and complain. Be
